[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"
James Lay
jlay at slave-tothe-box.net
Fri Mar 29 09:34:46 PDT 2013
On 2013-03-29 09:50, Jesse Bowling wrote:
> Hi James,
>
> I asked a similar question under a subject like "Feature request; up
> to 50% done?" and got this answer from Seth, which solves some of the
> problems I think you're trying to solve...
>
> Cheers,
>
> Jesse
>
> On Feb 11, 2013, at 4:17 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
> > So, I suppose I'm requesting that someone with more gawk chops than
> > myself give a shot at integrating this into bro-cut
>
> I tend to use these lines in my profile...
>
> # Bro logs are tab-separated; the separator is given as $'\t' / "\t" below.
> alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"
> alias bro-awk='awk -F"\t"'
> # Keep the '#' header lines (including #fields) so bro-cut can still resolve column names.
> bro-grep() { grep -E "(^#)|$1" $2; }
> bro-zgrep() { zgrep -E "(^#)|$1" $2; }
>
> What you're trying to do can then be accomplished like this…
>
> bro-zgrep 10.10.10.10 /usr/local/bro/logs/conn.*.log.gz | bro-cut id.orig_h,id.resp_h
>
> It *would* be handy to be able to do this through bro-cut though but
> that would make bro-cut start to sound like an incorrectly named
> utility. :)
>
> Have you tried using the ElasticSearch writer and Brownian?
>
> .Seth
Thanks for the repost, Jess, that helps :)
James